Custom REGEX rules for CSF.

[sahostking]

Today we had two servers blacklisted due to spam originating from contact is pages on Joomla websites that are not using captchas. Now informing customers to do so sometimes takes time and they done even do it. So we decided to look into a way that will stop it from happening all servers without the need of waiting for hundreds of our customers with outdated and no captchas on joomla sites to do so and fix the issue.

We came up with the below regex which seemed to stop them.

Code: Select all

# JOOMLA CONTACT PROTECTION2
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*\(?option=com_contact&view=contact&id=/)) {
   return ("JOOMLACONTACT2",$1,"JCONTACT2","3","80,443","86400");
}

Hope it helps someone with similar problem.

[promoauto]

Hello,
this post is great and i got some great rules from here.
I am trying to set-up a new rule for Bind on Centos because i have a lot o queries:
Mar 23 12:18:10 mail named[12986]: client 54.39.84.132#10685: query (cache) './ANY/IN' denied,
so my regex look's like this:
^.* named\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) client (\S*) \(query (cache) './ANY/IN'\): denied
and the rule:
if (($globlogs{CUSTOM5_LOG}{$lgfile}) and ($line =^.* named\[\d+\]:? \S+ \([^\[]+\[(\S+)\]\) client (\S*) \(query (cache) './ANY/IN'\): denied/)) {
return ("Blocare named",$2,"Named scan","2","53","3600");
}
i am missing something here because it does not work. Any help is more than appreciated.

[Sergio]

@promoauto
I think you have missed the "/" at the start of your rule,

Try to add the "/" after the equal sign, like this:
($line = /^.* named\[\d+\]:? \S+....

Sergio

[lucasdomonte]

Hi all,

Just a quick (or not so much) follow-up on my question..
i've got it working nearly exactly as i like -- i can't figure out how to capture and print the timestamp in human-readable format--

here it is for anyone curious:

First, the jail.local file:

Code: Select all

[csf-my-allow]
enabled = true
bantime=86400
findtime=600
usedns = raw
filter=csf-my-allow-filter
action=csf-my-allow[name=%(__name__)s]
maxretry = 1
logpath = /var/log/maillog
backend = polling

Next, the filter (note that the timestamp does not work as of yet) called csf-my-allow-filter:

Code: Select all

[Definition]
failregex = ^<F-TIMESTAMP>.*</F-TIMESTAMP> host dovecot: imap-login: Login: user=<<F-USER>\S+@\S+</F-USER>>, method=\S+, rip=<HOST>, lip=(\d{1,3}\.){3}\d{1,3}, mpid=\S+, \S+, session=<\S+>$
mode = normal
maxlines = 1
ignoreregex =

And, finally, the action, called csf-my-allow:

Code: Select all

[Definition]
actionstart =
actionstop =
actioncheck =
actionban=csf --tempallow <ip> 86400 IMAP login <F-USER>
# eventually:
# actionban=csf --tempallow <ip> 86400 IMAP login <F-USER> - <F-TIMESTAMP>

PS: i am the only WHM admin on these servers, which is why i'm taking the liberty of reporting the email account along with the IP..
i suppose it might be better to do this, to just capture the domain name:
\S+@<F-USER>\S+</F-USER>

Did you get a solution for this? I'm having the same problem!

[diegoweb]

Hey guys!

I'm using this regex to block attemps to get into xmlrpc.php file. It works great, unfortunately it only works for the root domain folder.

Code: Select all

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST|HEAD) \/+xmlrpc\.php.*" /)) {
    return ("WP XMLPRC Attack",$1,"XMLRPC","10","80,443","3600","1");
}

Could someone with better regex knowledge tune this regex to get xmlrpc in any subfolder, and not only the root folder?
ex.:
domain.tld/wp/xmlrpc.php
domain.tld/site/xmlrpc.php
domain.tld/site/1/xmlrpc.php
etc.

Maybe this is enough?

Code: Select all

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST|HEAD) .*xmlrpc\.php.*" /)) {
    return ("WP XMLPRC Attack",$1,"XMLRPC","10","80,443","3600","1");
}

System this regex is working:
CentOS 7
Virtualmin
CSF/LFD

[Sergio]

Have you tried Comodo WAF rules?
The rule 210380 blocks XMLRPC.PHP attacks and is easier to use Comodo to block offending IPs:

Once you know the modsec rule number that you want to block, use the following rule:
NOTE: for me CUSTOM1_LOG = /etc/apache2/logs/error_log

Code: Select all

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "210380"\]/i)) {
		return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1");
	}

Using this rule you can block more than one ModSec rule, per example:

Code: Select all

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210380|1010101)"\]/i)) {
		return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1");
	}

On the first example the rule will just block ModSec Rule: 210380
but on the second one the rule will block Rules: 210380 and 1010101

and if you want you can add more rules, I assume that you got the idea.

[sahostking]

Hey guys!

I'm using this regex to block attemps to get into xmlrpc.php file. It works great, unfortunately it only works for the root domain folder.

Code: Select all

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST|HEAD) \/+xmlrpc\.php.*" /)) {
    return ("WP XMLPRC Attack",$1,"XMLRPC","10","80,443","3600","1");
}

Could someone with better regex knowledge tune this regex to get xmlrpc in any subfolder, and not only the root folder?
ex.:
domain.tld/wp/xmlrpc.php
domain.tld/site/xmlrpc.php
domain.tld/site/1/xmlrpc.php
etc.

Maybe this is enough?

Code: Select all

if (($globlogs{CUSTOM1_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST|HEAD) .*xmlrpc\.php.*" /)) {
    return ("WP XMLPRC Attack",$1,"XMLRPC","10","80,443","3600","1");
}

System this regex is working:
CentOS 7
Virtualmin
CSF/LFD

Surely if you have set the log location for CUSTOM1_LOG in CSF to look at all the logs for apache which includes subdomain logs it will block all attacks to that location aswell. What makes you assume its only the main public_html dir.

[Sergio]

I am tired of all the CANVAS PRINT spam that got into the email accounts in the server and created the following 2 rules, one for the AntiSpam and one for csf.custom.rules, working both together my server is blocking the email with the AntiSpam and CSF blocks the IP that sent the email at the same time.

Both rules are working in CloudLINUX with WHM 100.0.5

First, create a rule for SpamAssassin used by MailScanner at: /etc/mail/spamassassin
FILE NAME: blacksubjects.cf

RULE:

Code: Select all

header    SECMAS_CANVASPAM Subject =~ /Canvas/i
score     SECMAS_CANVASPAM 22
describe  SECMAS_CANVASPAM Canvas Spam

Then add the following rule at: /usr/local/csf/bin/regex.custom.pm

Code: Select all

SMTPAUTH_LOG: /var/log/exim_mainlog

# BLOCKING RECURRENT SPAM

	if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s\S+\s\S+\s<=\s\S+\sH=(?>\S+\s)+?\[(\S+)\](?>\S+\s)+?T=".*(?>canvas print)/i)) {
		return ("RECURRENT SPAM1",$1,"SPAM_RECURRENT1","1","1","1");
	}

If you got the idea, then you can play with both rules and add more spam on both rules, like this:

Code: Select all

Directory: /etc/mail/spamassassin 
FILE NAME: blacksubjects.cf

header   SECMAS_VARIOUSPAM Subject =~ /(Canvas|Asian  Bride Girl)/i
score    SECMAS_VARIOUSPAM 22
describe SECMAS_VARIOUSPAM Various Spam

- - - - - -

Add the following rule at: /usr/local/csf/bin/regex.custom.pm
SMTPAUTH_LOG: /var/log/exim_mainlog

# BLOCKING RECURRENT SPAM

	if (($lgfile eq $config{SMTPAUTH_LOG}) and ($line =~ /^\S+\s\S+\s\S+\s<=\s\S+\sH=(?>\S+\s)+?\[(\S+)\](?>\S+\s)+?T=".*(?>canvas print|Asian  Bride Girl)/i)) {
		return ("RECURRENT SPAM1",$1,"SPAM_RECURRENT1","1","1","1");
	}

Disclaimer: Use the above info at you own risk, I don't assume any responsibility if you use it.

MERRY CHRISTMAS AND HAPPY NEW YEAR 2022!!

[dascos]

An extremely symple rule for catching 404 (or wathever you like in Apache).
Used cause the "normal" access_log don't run, for me, and dunno why.

Code: Select all

if (($config{LF_APACHE_404}) and ($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+)\s+\S+\s+\[\S+\s+\S+\]\s+\S+\s+\S+.*HTTP.*404.*$/)){
    return ("404  triggerd",$1,"404trap",7,"80,443","3600","0");
}

You can use this other version as regex but you have to be ABSOLUTELY sure you don't have anithing after "404" in the 404log (see below)

Code: Select all

^(\S+) .*HTTP.* 404$

Must have this in Apache (apache.conf if using one website, other-vhosts-access-log if using vhosts)

Code: Select all

LogFormat "%404h %404v %404t %404r %404>s" 404log
CustomLog ${APACHE_LOG_DIR}/404_vhosts_access.log 404log

This way we have a /var/log/apache2/404_vhost_access.log logging like this:

Code: Select all

- - - - -
- - - - -
***.119.***.211 dev.dascos.info [11/Mar/2022:15:49:07 +0100] GET /manual/es/mod/mod_proxy_fcgi.html HTTP/1.1 404
- - - - -
- - - - -

and that's the csf log

Code: Select all

Mar 11 15:45:39 jeeg lfd[510421]: (404trap) 404  triggerd ***.94.***.96: 7 in the last 3600 secs - *Blocked in csf* for 3600 secs [LF_CUSTOMTRIGGER]

I don't find a rule for Apache to have logged only relevant 404 lines :-( The LogFormat tell Apache to log Ip, Vhost,ecc and to log *only* if we have a 404 (that's the %404h and other rules). If it's not a 404 error, Apache logs "- - - - - " so you have a log file like the one above.

Server Ubuntu 20.04
Apache 2.4.41
Csf 14.16

[dascos]

Hum...I'm try to make a better rule for Apache404 but no luck...
I'm trying this

Code: Select all

if (($config{LF_APACHE_404}) and ($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^(\S+).*(?:GET|HEAD|PUT).*HTTP.*404.*$/)) {
        $ip = $1;
        $ipblock = $ip;
        if ($config{LF_NETBLOCK_CLASS} eq "C") {
              if ($ip =~ /^(\d+\.\d+\.\d+)/) {
                 $ipblock = "$1\.0/24";
                }
        }
    return ("404 triggerd",$ipblock,"404trap",2,"80,443","3600","0");
}

but not working. IF i comment the line for the ip mask, then is running but, obviously, it catch the FULL ip, not the C class.
What I'm missing? :-D Not a guro at all in perl scripting